RE: httpd.conf with mod_ssl and MM
I am
using Linux
Thanks
for your help. It set me on the right tracks.
It is
working now.
I used
a different build method, because I already have a makefile
Can
you give me some pointer on the difference between
SSLCacheSession dbm and shm and shmct and
shmcb.
Thanks
Gilles
-Original Message-From: Courtin Bert
[mailto:[EMAIL PROTECTED]]Sent: Wednesday, October 09, 2002
12:17 AMTo: [EMAIL PROTECTED]Cc:
[EMAIL PROTECTED]Subject: RE: httpd.conf with mod_ssl and
MM
Hi
Gilles,
1)
Put all the necessary sources to a dir below e.g. SOURCES. Make sure you use
the latest ones available as recently some mayor security fixes had been
done.
All
the following works fine on solaris 8 with a gcc
-> SOURCES/apache-1.3.27
-> SOURCES/mm-1.2.1
-> SOURCES/mod_ssl-2.8.11-1.3.27
->
SOURCES/openssl-0.9.6.g
2)
Assume the following set up for some variables
COMPILER="gcc"
# Specify the compiler to use
TARGET_DIR="opt"
# This is where the *compiled* sources will be
installedSOURCES_SUBDIR="SOURCES"
# To this subdir the zipped sources will be unzipped and
untared
APACHE_DIR="apache-1.3.27"
# Now we're defining the names of the subdirectories for the program
sourcesMM_DIR="mm-1.2.1"
# Most arcives will be extracted to a subdirname related to the
arciveOPENSSL_DIR="openssl-0.9.6g"
# filename but e.g. "c-client.tar.Z will be extracted to
"imap-2001a"MODSSL_DIR="mod_ssl-2.8.11-1.3.27" # will be
detected automatically below based on the info you state
here.
2)
Compile MM
mm
has to be configured someting like this (on solaris using
gcc):
./configure --prefix=/${TARGET_DIR}/${MM}
\ --with-gcc
\ --disable-shared
maybe you'll also specify (but not nec needed)
--enable-batch
\ --with-shm=IPCSHM
After this, you may need to do
LD_LIBRARY_PATH=/${TARGET_DIR}/${MM}/lib:/${TARGET_DIR}/${MM}/bin:$LD_LIBRARY_PATHexport
LD_LIBRARY_PATH
2) Comile openssl
In the openssl-dir do
./config
--prefix=/${TARGET_DIR}/${OPENSSL} -fPIC shared
After making openssl do
export
SSL_BASE=/${TARGET_DIR}/${OPENSSL}LD_LIBRARY_PATH=/${TARGET_DIR}/${OPENSSL}/lib:/${TARGET_DIR}/${OPENSSL}/bin::$LD_LIBRARY_PATHexport
LD_LIBRARY_PATH
3) Apply mod_ssl to apache source
tree
Changing to SUBDIR where you keep your sources for
mod_ssl
Do
CC=${COMPILER}
\CPFLAGS="-I/${TARGET_DIR}/${OPENSSL}/include"
\CFLAGS="`../${MM}/mm-config --cflags`"
\LDFLAGS="-L/${TARGET_DIR}/${OPENSSL}/lib `../${MM}/mm-config --ldflags`"
\LIBS="-lm `../${MM}/mm-config --libs`"
\EAPI_MM="../${MM}"./configure --prefix=/${TARGET_DIR}/${APACHE}
\
--enable-rule=EAPI
\
--with-apache=../${APACHE}
\
--with-ssl=../${OPENSSL}
\
--with-mm=../${MM}
\
--disable-rule=SSL_COMPAT
\
--enable-module=ssl
4)
For the configuration of Apache you'll need to specify:
If
you do not need to specifiy anything else, change to apaches source dir and
type 'make', in any other case do change to apaches source dir and do
CC="${COMPILER}" \EAPI_MM="../${MM}"
\CPFLAGS="-I/${TARGET_DIR}/${OPENSSL}/include"
\CFLAGS="`../${MM}/mm-config --cflags`"
\LDFLAGS="-L/${TARGET_DIR}/${OPENSSL}/lib `../${MM}/mm-config --ldflags`"
\LIBS="`../${MM}/mm-config --libs`"
\INCLUDE="-I/${TARGET_DIR}/${OPENSSL}/include
-I/${TARGET_DIR}/${MM}/include" \./configure
--prefix=/${TARGET_DIR}/${APACHE}
\
--enable-rule=EAPI
\
--enable-module=ssl
\ --add
more options if needed
This
should make shared mem available for apache/mod_ssl.
BTW:
Which platform are you using?
Hope
this helps - good luck
Kind
regards,
Bert
Courtin
-Original Message-From: Gilles Gros
[mailto:[EMAIL PROTECTED]]Sent: Wednesday, October 09, 2002
7:09 AMTo: [EMAIL PROTECTED]Subject: httpd.conf
with mod_ssl and MM
Hi,
Having
just heard about MM, I am trying to use it.
I compile
my apache, but when I try to start it, I get :
Syntax error on line 59 of
/opt/apache/conf/local_conf/mod_ssl.conf:SSLSessionCache: shared memory
cache not useable on this platform
and line 59 there is :
SSLSessionCache
shmcb:/usr/local/apache/logs/ssl_scache(512000)
How can I take
advantage of shmcb and shmct as
SSLSessionCache methods.
Thanks.
Gilles
RE: Site for modssl.org
An rpm for mod_ssl comes with Red Hat 7.2 (I assume that's what you are referring to). As for latest, there should be an update available from Red Hat fairly soon. - John Airey, BSc (Jt Hons), CNA, RHCE Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] Theories of evolution are like buses - there'll be another one along in a minute -Original Message- From: Robert Lagana [mailto:[EMAIL PROTECTED]] Sent: 08 October 2002 18:02 To: '[EMAIL PROTECTED]' Subject: Site for modssl.org Hi, I can't hit http://www.modssl.org I'm in need of the latest rpm or tarball for linux 7.2 Does anyone have another site I could use to download? Thanks, Rob - NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system. RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
modssl-users@modssl.org
Hello, i'm using Apache/2.0.42 with integrated mod_ssl/2.0.42. Is it possible to upgrade to a higher version or is it the latest/SECURE release of modssl for apache 2? Lots of security scanner (nessus, slapperscan..) had found an https/ssl security hole. Apache start message: Apache/2.0.42 (Unix) mod_ssl/2.0.42 OpenSSL/0.9.6g configured -- resuming normal operations thanks, Janek __ Jetzt testen fur 1 Euro! Ihr All-in-one-Paket! https://digitaledienste.web.de/Club/?mc=021106 __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE:
As long as you have OpenSSL 0.9.6g then you are fine. -Original Message- From: Janek Richter [mailto:[EMAIL PROTECTED]] Sent: 09 October 2002 10:16 To: [EMAIL PROTECTED] Subject: Hello, i'm using Apache/2.0.42 with integrated mod_ssl/2.0.42. Is it possible to upgrade to a higher version or is it the latest/SECURE release of modssl for apache 2? Lots of security scanner (nessus, slapperscan..) had found an https/ssl security hole. Apache start message: Apache/2.0.42 (Unix) mod_ssl/2.0.42 OpenSSL/0.9.6g configured -- resuming normal operations thanks, Janek __ Jetzt testen fur 1 Euro! Ihr All-in-one-Paket! https://digitaledienste.web.de/Club/?mc=021106 __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
modssl and apache2
Hello, i'm using Apache/2.0.42 with integrated mod_ssl/2.0.42. Is it possible to upgrade to a higher version or is it the latest/SECURE release of modssl for apache 2? Lots of security scanner (nessus, slapperscan..) had found an https/ssl security hole. Apache start message: Apache/2.0.42 (Unix) mod_ssl/2.0.42 OpenSSL/0.9.6g configured -- resuming normal operations thanks, Janek __ Die clevere Geldreserve: der DiBa-Privatkredit. Funktioniert wie ein Dispo, ist aber viel gunstiger! Alle Infos: http://diba.web.de/?mc=021104 __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
More on IE 5 "Document not found"
I'm setting up a SSL website, and, like the most, I faced some problem with IE5 about SSLv3 connections. It's true that unsetting SSLv3 in preferences solve the problem, but I can't say everyone to change settings. Reading this maling list I've found the SSLCipherSuite magic string: ALL:!ADH:!EXPORT56:-SSLv3:RC4:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL Sadly, this didn't work for me. Some IE 5.0 keep giving me "Document not found" errors, and some time same browsers behave differently on different platform (that is, IE5 on NTW works, IE5 on Win98 does not). I started using OpenSSL to test a website that I knew working without problems (https://www.sportscommesse.it/, if you liked to try). With OpenSSL s_client, I read SSLv3 ciphers, and I found this website used RC4-SHA. Mine gave EDH-RSA-DES-CBC3-SHA. Does IE5 only like RC4? So I modified SSLCipherSuite this way: "ALL:!ADH:-SSLv3:RC4:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP" Problems have disappeared. I would like to know if I'm losing some security or functionality doing this. Thank you. Ermanno BTW, what's happening to www.modssl.org website? "Fletto i muscoli, e sono nel vuoto" __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Openssl/modssl on automounted partition?
Is OpenSSL required to be installed locally to work with mod_ssl as opposed to building Apache/mod_ssl from a NFS mounted install of openssl? My experiences are indicating that YES openssl should be installed on a local filesystem? Is this correct? I just built Apache/mod_ssl-2.8.11-1.3.27/openssl-0.9.6g on UNIX/Solaris8 using an installation of openssl on a NFS mounted partition and I am getting this pop-up message when I try to access the server via https: "SSL has recieved an error from the server indicating an incorrect Message Authentication Code. This could indicate a network error, a bad server implementation, or a security violation." apache/error_log: [Wed Oct 9 09:31:12 2002] [error] mod_ssl: SSL handshake failed (server myserver.com:443, client 141.102.34.157) (OpenSSL library error follows) [Wed Oct 9 09:31:12 2002] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac All my other Apache/modssl/openssl servers are working fine, although they are built using a local install of openssl. If this is true. maybe it should be added to the FAQs or the INSTALL file? Thanks, -Carlos __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: ApacheCore.dsp patch for Apache-1.3.26 + mod_ssl-2.8.10-1.3.26
On Wed, Oct 09, 2002 at 11:38:04AM -0400, Robert Tsai wrote: > The mod_ssl diffs don't allow a VC++ build out of the box; being a > non-Windows user forced to build for VC++, I beat my head for about a Sorry, I forgot to also include a similar patch for src/ap/ap.dsp: //depot/prod/champagne/main/src/apache_1.3.26/src/ap/ap.dsp#2 - /u/rtsai/p4 /champagne/src/apache_1.3.26/src/ap/ap.dsp 44c44 < # ADD CPP /nologo /MD /W3 /O2 /I "..\include" /I "..\os\win32" /D "WIN32" /D " NDEBUG" /D "_WINDOWS" /Fd"LibR\ap" /FD /c --- > # ADD CPP /nologo /MD /W3 /O2 /I "..\include" /I "..\os\win32" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "EAPI" /Fd"LibR\ap" /FD /c 67c67 < # ADD CPP /nologo /MDd /W3 /GX /Zi /Od /I "..\include" /I "..\os\win32" /D "WI N32" /D "_DEBUG" /D "_WINDOWS" /Fd"LibD\ap" /FD /c --- > # ADD CPP /nologo /MDd /W3 /GX /Zi /Od /I "..\include" /I "..\os\win32" /D "_D EBUG" /D "WIN32" /D "_WINDOWS" /D "EAPI" /Fd"LibD\ap" /FD /c -- Robert Tsai [EMAIL PROTECTED] http://www.netapp.com/ 404-228-9983 __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
ApacheCore.dsp patch for Apache-1.3.26 + mod_ssl-2.8.10-1.3.26
The mod_ssl diffs don't allow a VC++ build out of the box; being a non-Windows user forced to build for VC++, I beat my head for about a day trying to figure out what went wrong. I didn't see anything about this at http://marc.theaimsgroup.com/?l=apache-modssl so I thought I'd contribute a patch for ApacheCore.dsp. All the patch does is add the following preprocessor symbol to the compile line: /D "EAPI" This is already handily covered by the Win32 command-line builds and the UNIX builds, but not by the VC++ build. I don't know how to make this a clean diff; I don't think the SECURITY_HOLE_PASS_AUTHORIZATION symbol is the default. //depot/prod/champagne/main/src/apache_1.3.26/src/ApacheCore.dsp#4 - /u/rtsai/p4/champagne/src/apache_1.3.26/src/ApacheCore.dsp --- /tmp/tmp.1831.0 Wed Oct 9 11:35:54 2002 +++ /u/rtsai/p4/champagne/src/apache_1.3.26/src/ApacheCore.dsp Wed Oct 9 11:04:09 +2002 @@ -43,7 +43,7 @@ # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MD /W3 /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /FD /c -# ADD CPP /nologo /MD /W3 /O2 /I ".\include" /I ".\os\win32" /I ".\os\win32\win9xconhook" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "WIN32_LEAN_AND_MEAN" /D "SECURITY_HOLE_PASS_AUTHORIZATION" /Fd"CoreR\ApacheCore" /FD /c +# ADD CPP /nologo /MD /W3 /O2 /I ".\include" /I ".\os\win32" /I +".\os\win32\win9xconhook" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D +"WIN32_LEAN_AND_MEAN" /D "SECURITY_HOLE_PASS_AUTHORIZATION" /D "EAPI" +/Fd"CoreR\ApacheCore" /FD /c # ADD BASE MTL /nologo /D "NDEBUG" /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x809 /d "NDEBUG" @@ -69,7 +69,7 @@ # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MDd /W3 /GX /Zi /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /FD /c -# ADD CPP /nologo /MDd /W3 /GX /Zi /Od /I ".\include" /I ".\os\win32" /I ".\os\win32\win9xconhook" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "WIN32_LEAN_AND_MEAN" /D "SECURITY_HOLE_PASS_AUTHORIZATION" /Fd"CoreD\ApacheCore" /FD /c +# ADD CPP /nologo /MDd /W3 /GX /Zi /Od /I ".\include" /I ".\os\win32" /I +".\os\win32\win9xconhook" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D +"WIN32_LEAN_AND_MEAN" /D "SECURITY_HOLE_PASS_AUTHORIZATION" /D "EAPI" +/Fd"CoreD\ApacheCore" /FD /c # ADD BASE MTL /nologo /D "_DEBUG" /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x809 /d "_DEBUG" -- Robert Tsai [EMAIL PROTECTED] http://www.netapp.com/ 404-228-9983 __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
triple des
Hi, i want to use ssl with triple DES encryption. Is this possible? Which certificate i need? With openssl ciphers -v 'RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW' i created my cipher-spec string. But apache always uses rc4 encryption What i have to do to use triple des?? Thank you! Josef ps: i use suse 8.0, apache 1.3, mod_ssl, openssl... -- +++ GMX - Mail, Messaging & more http://www.gmx.net +++ NEU: Mit GMX ins Internet. Rund um die Uhr für 1 ct/ Min. surfen! __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Question about session-cache algorithms
Hi. I've been looking at the algorithms modssl uses for managing the SSL session cache in shared memory, and specifically at the newer "cyclic buffer" algorithm. I have an question/idea/rambling about it, it's going to be a little long, sorry ;) I believe the cyclic-buffer design is very good, especially its natural handling of expiration and overflow of the cache before sessions expire. The time-complexity of additions of new sessions to the cache, as well as that of expiring old ones or making more room when needed, is O(1) (where N is the number of sessions in the cache), and these operations always succeed. However, it appears to me that the session-cache lookup is *not* O(1), and I've been wondering if this is considered acceptable, e.g., because other Apache and hardware constraints limit the server's scalability anyway? As I mention below, the current lookup algorithm is indeed very good for all "normal" session-cache sizes, so my question is more theoretical, about how well it will scale as very-high-end servers get better specialized hardware, have more memory, and expect to handle higher loads. If I understand correctly, the lookup works by searching the index of a whole "division" (when a cache is full, 1/256 of the N entries or more, usually around sqrt(N) entries), one by one, until a match for the second byte is found (at which point the whole session id is compared). For N < 65000 or so, this means (again, if I understand correctly) a lookup length of around sqrt(N)/2. For larger N, the lookup length is worse, around N/256/2, with the search becoming even slower because the second-byte comparisons start yielding more false positives at this point. As always, O(sqrt(N)) or O(N) complexities become worse as N increases. When N=65536, and the cache is full, the average number of comparisons for a session-id lookup is (if I'm calculating correctly) 128. When N=131072, the average number of comparisons for a lookup grows to 256, and the fact that only 2 bytes are used for the quick comparison will start taking its additional toll. To put the numbers in perspective (and to show that the example Ns above are untypically large), a session cache of size 500Kbytes is typically used in Apache, making room for only about N=3000 session-cache entries. In this case, the typical number of one-byte comparisons a lookup needs is roughly 32 (if I'm calculating this correctly). This is certainly not bad, and should give excellent results for this algorithm (as indeed I see people are reporting). While N=3000 is typical, N=65536 is probably not because it results in a very big cache, about 10MB. N=131072, 20MB, is probably considered ridiculously large. Is this why such N's were considered uninteresting and this lookup algorithm was deemed good enough in all practical cases? If anyone is wondering why I'm thinking about this issue, and why someone may want more than the 500Kbyte session-cache (N=3000 sessions), think about the following calculation: let's say that from a bit of research you find that most browsers will reuse a session within two minutes of its first creation. If you want the session cache to hold each new session for two minutes (120 seconds), you would want to hope that you will not get more than 25 (=3000/120) new sessions (i.e., new users) per second. For most moderately-loaded servers with ordinary hardware, this assumption is good - the CPU might not even be able to handle much more than 25 RSA operations per second, and 25 new sessions a second translates to 2 million SSL sessions a day - a very busy server indeed. But what about a very-high-end server with an "SSL acceleration" card (a card that, among other things, does RSA operations in hardware)? Such cards are typically rated for doing 1,000, or even much more, RSA operations per second, meaning that the server can theoretically now easily handle, for example, 500 new sessions per second (I'm saying theoretically, because in real life Apache might not be able to handle such a load because of limits on the number of processes, memory, and so on). 500 new sessions per second, each we hope to keep for 120 seconds, dictates 60,000 entries in the session cache. For example. Anyway, if such huge session caches will ever be of interest, perhaps the lookup algorithm should be replaced by something else, perhaps an additional simple hash table using the session-id as key (no need for hash function other than a modulo)? I'm not talking about a complicated generic hash table like the "ht" session cache - I'm talking about a simple array of indices pointing into positions of the cyclic buffer, and each entry in that buffer will also hold "next" indices for keeping the bucket's chain. If we assume that no "subcache" will hold more than 65536 entries, we can use 2-byte indices for all those "pointers", and such hash-table's overhead will be as low as 4-6 bytes per session in the cache. A slight computational overhead will also be incur
